Page 13 of 55

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 11:28 am
by sandy
lukapaunovic wrote:
Sun Apr 08, 2018 11:25 am
sandy, can you check [email protected]?
I've been waiting for more than 20 minutes.
I sent you access to the hacked server.
serghey is not online so he can't look into it.
Can anyone from Vesta look into it? The disk is mounted; it's in rescue mode.
Sorry, I'm not from Vesta, I'm from elsewhere.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 11:33 am
by lukapaunovic
Damn, I mistook you for this other member.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 11:54 am
by StudioMaX
A bit more info:
My /etc/cron.hourly/gcc.sh file was modified on 04.04.2018 16:25:00

I've analyzed the modified /var/lib/mysql/roundcube/session.ibd file, which was modified at the same time on 04.04.2018 16:24:56

In the SQL dump of the "session" table from the "roundcube" database I found a new session at the same time:

Code:

INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES
('ajhkl541vskuji31ss3tadl7gc',	'2018-04-04 16:24:54',	'119.82.29.17',	'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6ImZ5blJ2SlpPZ1VoeTFNUDZ6c0FWUk4yZXZ6YWNHdlhrIjs=');
119.82.29.17 looks like the attacker's or bot's IP.

But interestingly, the same IP address appeared in another session from 2018-03-24 23:02:01:

Code:

INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES
('1a6f1ft5oo732eju8p6mldlag1',	'2018-03-24 23:02:01',	'119.82.29.17',	'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6InJhQ1M4Z2hYME01YkJ2M1F6akt6SWJTeHVCY1E3dFA2Ijs=');
All other tables in "roundcube" database were empty (since I do not use Roundcube).

I installed Vesta on the new server on 24.03.2018 0:00:51, so the bot detected it in less than a day.
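The two rows above carry the session payload base64-encoded in the `vars` column. The following is an added example (not code from the thread or from the Roundcube project) that decodes those payloads, which use PHP's native session serialization (`key|<serialized value>` pairs; a fact about Roundcube, not something the post states), and lines the session times up against the file modification times StudioMaX reported. The session rows and mtimes are copied from the post; the 60-second correlation window is an assumed value.

```python
import base64
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# The two rows StudioMaX posted, copied from the thread: (sess_id, changed, ip, vars).
SESSION_ROWS = [
    ("ajhkl541vskuji31ss3tadl7gc", "2018-04-04 16:24:54", "119.82.29.17",
     "dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6ImZ5blJ2SlpPZ1VoeTFNUDZ6c0FWUk4yZXZ6YWNHdlhrIjs="),
    ("1a6f1ft5oo732eju8p6mldlag1", "2018-03-24 23:02:01", "119.82.29.17",
     "dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6InJhQ1M4Z2hYME01YkJ2M1F6akt6SWJTeHVCY1E3dFA2Ijs="),
]

# File modification times StudioMaX reported, copied from the thread.
FILE_MTIMES = {
    "/etc/cron.hourly/gcc.sh": "2018-04-04 16:25:00",
    "/var/lib/mysql/roundcube/session.ibd": "2018-04-04 16:24:56",
}


def _parse_php_scalar(buf, pos):
    """Parse one PHP-serialized scalar starting at buf[pos]; return (value, next_pos).

    Handles N; b:<0|1>; i:<int>; d:<float>; s:<len>:"<bytes>"; which is all a
    fresh Roundcube login-page session contains.  Arrays and objects raise.
    """
    kind = buf[pos]
    if kind == "N":
        return None, pos + 2
    if kind in "bid":
        end = buf.index(";", pos)
        raw = buf[pos + 2:end]
        value = {"b": lambda r: r == "1", "i": int, "d": float}[kind](raw)
        return value, end + 1
    if kind == "s":
        colon = buf.index(":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                      # skip ':"'
        value = buf[start:start + length]
        if buf[start + length:start + length + 2] != '";':
            raise ValueError(f"bad string terminator at offset {start + length}")
        return value, start + length + 2
    raise ValueError(f"unsupported PHP type {kind!r} at offset {pos}")


def decode_session_vars(vars_b64):
    """Decode a Roundcube `session.vars` value into a dict.

    The column holds base64(PHP session serialization): a run of
    `key|<serialized value>` pairs.  latin-1 keeps PHP's byte lengths intact.
    """
    data = base64.b64decode(vars_b64).decode("latin-1")
    out, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        key = data[pos:bar]
        out[key], pos = _parse_php_scalar(data, bar + 1)
    return out


def sessions_near(rows, when, window_seconds=60):
    """Session rows whose `changed` time lies within window_seconds of `when`."""
    t0 = datetime.strptime(when, TIME_FMT)
    return [r for r in rows
            if abs((datetime.strptime(r[1], TIME_FMT) - t0).total_seconds()) <= window_seconds]


def repeat_ips(rows):
    """IPs that appear in more than one session row."""
    seen = {}
    for _, _, ip, _ in rows:
        seen[ip] = seen.get(ip, 0) + 1
    return sorted(ip for ip, n in seen.items() if n > 1)


def timeline(rows, mtimes):
    """Merge session rows and file mtimes into one list sorted by time."""
    events = [(r[1], f"roundcube session {r[0]} from {r[2]}") for r in rows]
    events += [(t, f"mtime {path}") for path, t in mtimes.items()]
    return sorted(events)


if __name__ == "__main__":
    for sess_id, changed, ip, vars_b64 in SESSION_ROWS:
        print(sess_id, changed, ip, decode_session_vars(vars_b64))
    for t, what in timeline(SESSION_ROWS, FILE_MTIMES):
        print(t, what)
    print("repeat IPs:", repeat_ips(SESSION_ROWS))
```

Both payloads decode to only `temp`, `language`, `task=login` and a `request_token`, which is what Roundcube writes when it serves its login page; there is no `user_id` or `username` key, so on their own these rows show an address requesting the login page within six seconds of the `session.ibd` mtime and the `gcc.sh` creation, not a completed webmail login. When pulling rows from a live database instead of a dump, run the same decode over every row and look for the same address or token reappearing, as StudioMaX did by hand here.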

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 11:56 am
by lukapaunovic
Was the Vesta service stopped when the new server got breached?

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 11:58 am
by sandy
lukapaunovic wrote:
Sun Apr 08, 2018 11:56 am
Was the Vesta service stopped when the new server got breached?
No, but the server hangs because of outbound DDoS.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 11:58 am
by lukapaunovic
Hey, yes, you are right: the Roundcube session file editing time corresponds with /etc/init.d/update.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 11:59 am
by ivcha92
Hi, I just sent read-only FTP access to [email protected]

My server is on OVH and it's in rescue64-ftp mode. I haven't contacted them yet. Has anyone been able to reactivate the server on OVH? I am still waiting to get to the bottom of the issue so that I know the exact details when I contact them.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 12:02 pm
by lukapaunovic
Hey, here are the affected files in that time range, see:

Image

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 12:05 pm
by sandy
ivcha92 wrote:
Sun Apr 08, 2018 11:59 am
Hi, I just sent read-only FTP access to [email protected]

My server is on OVH and it's in rescue64-ftp mode. I haven't contacted them yet. Has anyone been able to reactivate the server on OVH? I am still waiting to get to the bottom of the issue so that I know the exact details when I contact them.
The only way is to back up your data and reinstall the server OS.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 12:06 pm
by StudioMaX
Also, I have good news: I binary-compared all the files in two backups of the whole server, one from 03-04-2018 (before the infection), the other from 07-04-2018. It seems that this exploit did not modify any system files, but only created these:

Code:

/etc/cron.hourly/gcc.sh
/etc/rc.d/init.d/update
/etc/rc.d/rc1.d/S90update
/etc/rc.d/rc2.d/S90update
/etc/rc.d/rc3.d/S90update
/etc/rc.d/rc4.d/S90update
/etc/rc.d/rc5.d/S90update
/usr/lib/libudev.so
/tmp/update
But in any case, if your server was infected, you will need to reinstall it.
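StudioMaX's file list came from comparing a pre-infection backup with a later copy of the whole server. The following is an added example (not code from the thread) that does that comparison for two mounted trees, such as a backup directory and a disk mounted from rescue mode, reports created, deleted and modified paths, and then flags any that match the artefact paths listed above. The artefact paths are copied from the post; the sample trees the `demo()` function builds are constructed placeholders, not the real files.

```python
import hashlib
import os
import tempfile

# Paths StudioMaX found created between the two backups, copied from the thread.
KNOWN_ARTIFACTS = {
    "/etc/cron.hourly/gcc.sh",
    "/etc/rc.d/init.d/update",
    "/etc/rc.d/rc1.d/S90update",
    "/etc/rc.d/rc2.d/S90update",
    "/etc/rc.d/rc3.d/S90update",
    "/etc/rc.d/rc4.d/S90update",
    "/etc/rc.d/rc5.d/S90update",
    "/usr/lib/libudev.so",
    "/tmp/update",
}


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (path relative to root, with a leading '/') to a
    fingerprint: sha256 of the content, or the link target for symlinks, so an
    rcN.d symlink is recorded as such rather than followed to init.d/update."""
    out = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                out[rel] = "symlink->" + os.readlink(full)
            elif os.path.isfile(full):
                out[rel] = _sha256(full)
    return out


def compare(before, after):
    """Created, deleted and modified paths between two snapshots."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def flag_known(diff, known=KNOWN_ARTIFACTS):
    """New or changed paths that match the artefact list."""
    return sorted(p for p in diff["created"] + diff["modified"] if p in known)


def demo():
    """Constructed sample: a clean tree and a copy with three of the listed paths added."""
    with tempfile.TemporaryDirectory() as tmp:
        before = os.path.join(tmp, "backup-2018-04-03")
        after = os.path.join(tmp, "rescue-mount")
        for root in (before, after):
            for sub in ("etc/cron.hourly", "etc/rc.d/init.d", "etc/rc.d/rc3.d", "usr/lib"):
                os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, "etc/hostname"), "w") as f:
                f.write("vesta\n")
        # Placeholder contents only; the real files are not reproduced here.
        with open(os.path.join(after, "etc/cron.hourly/gcc.sh"), "w") as f:
            f.write("# constructed placeholder\n")
        with open(os.path.join(after, "etc/rc.d/init.d/update"), "w") as f:
            f.write("# constructed placeholder\n")
        os.symlink("../init.d/update", os.path.join(after, "etc/rc.d/rc3.d/S90update"))
        diff = compare(snapshot(before), snapshot(after))
        return diff, flag_known(diff)


if __name__ == "__main__":
    diff, flagged = demo()
    for kind in ("created", "deleted", "modified"):
        print(kind, diff[kind])
    print("known artefacts present:", flagged)
```

For a real comparison, call `snapshot()` on the backup root and on the rescue-mode mount point and pass both to `compare()`. Content hashes are used rather than mtimes because a modification time can be set to anything, while a changed hash cannot be hidden; the symlink handling matters because the `rcN.d/S90update` entries are links, and following them would silently merge them into `init.d/update`. Keep in mind that `/tmp` is commonly excluded from backups, so `/tmp/update` may show as created even on a clean host, whereas anything under `/etc/rc.d` or `/usr/lib` appearing in the created list warrants the reinstall StudioMaX recommends.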